INDEX

Numbers
0-RTT data, 245
2G mobile communications, 89
3DES (triple DES), 59, 72–74. See also DES (Data Encryption Standard)
3G mobile communications, 91, 128
4G mobile communications, 78, 91, 128, 129

A
A5/1, 18, 88–91
Aaronson, Scott, 171, 178, 259, 269
Advanced Encryption Standard (AES), 53, 59
    AddRoundKey, 60
    block size, 54
    vs. DES, 59, 80
    and GCM, 152–154, 159, 161
    implementations, 62–64
    internals, 59–62
    KeyExpansion, 60
    MixColumns, 60
    with Poly1305, 138
    and provable security, 48
    security of, 65
    ShiftRows, 60
    SubBytes, 60
    and TLS 1.3, 243–244
Advanced Vector Extensions (AVX), 55
AE. See authenticated encryption (AE)
AEAD (authenticated encryption with associated data), 16, 149, 157–158
AES. See Advanced Encryption Standard (AES)
AES-CBC, 69
AES-GCM, 152–154, 159–161
    efficiency, 154
    internals, 152–153
    security, 154
    and small tags, 161
    and weak hash keys, 159–161
AESENC instruction, 64
AESENCLAST instruction, 64
AES native instructions (AES-NI), 63–64
AEZ, 161–162
AKA (authenticated key agreement), 205–207
algebraic attacks, 85
Alvisi, Lorenzo, 125
amplitude, 252–253
Apple, 218, 231
application-specific integrated circuit (ASIC), 79
associated data, 149
asymmetric encryption, 1, 15. See also RSA (Rivest–Shamir–Adleman)
attack costs, 43–44
attack models, 10
    black-box, 11–12
    for key agreement protocols, 207
    gray-box, 12
authenticated ciphers, 148
    with associated data, 149
    functional criteria, 151–152
    nonces, 149–150
    online, 151
    performance, 150–151
    permutation-based, 157–158
    security, 150
    streamability, 151
authenticated decryption, 148
authenticated Diffie–Hellman, 210–213
authenticated encryption (AE), 16, 145
    authenticated ciphers, 148–152
    OCB, 155–156
    permutation-based AEAD, 157–158
    SIV, 156–157
    using MACs, 146–148
authenticated encryption with associated data (AEAD), 16, 149, 157–158
authenticated key agreement (AKA), 205–207
authentication tag, 16. See also authenticated encryption (AE); MACs (message authentication codes)
AVX (Advanced Vector Extensions), 55

B
backtracking resistance, 26
backward secrecy, 26
BcryptGenRandom() function, 33–34
Bellare, Mihir, 143
Bellaso, Giovan Battista, 3
Bellcore attack, 196–197
Bernstein, Daniel J., 52, 95, 100, 136, 139, 230, 231, 261
big-number libraries, 192
binary exponentiation, 192
birthday attacks, 109
birthday paradox, 109
Bitcoin, 106
bit security, 42–43
BLAKE, 120
BLAKE2, 215, 226
    BLAKE2b, 123
    BLAKE2s, 123
    compression function, 124
    design rationale, 123
blinding attacks, 189
block ciphers, 53. See also Advanced Encryption Standard (AES)
    block size, 54–55
    CBC mode, 67–70
    codebook attacks, 55
    CTR mode, 71–72
    decryption algorithm, 54
    ECB mode, 65–67
    encryption algorithm, 54
    Feistel schemes, 58–59
    key schedule, 56
    meet-in-the-middle attacks, 72–74
    modes of operation, 65
    padding oracle attacks, 74–75
    rounds, 56
    round keys, 56–57
    security goals, 54
    slide attacks, 56–57
    substitution–permutation networks, 57–58
Bluetooth, 78
Boneh, Dan, 199
Bos, Joppe W., 233
broadcast attack model, 95
Brumley, David, 199
brute-force attacks, 41, 90

C
CA (certificate authority), 238–240, 247–248
cache-timing attacks, 63
Caesar cipher, 2–3
CAESAR competition, 161
Canetti, Ran, 143
carry-less multiplication (CLMUL), 153
CBC. See cipher block chaining (CBC)
CBC-MAC, 134
CCA (chosen-ciphertext attackers), 11
CCM (counter with CBC-MAC), 162, 243
CDH (computational Diffie–Hellman), 204
certificate authority (CA), 238–240, 247–248
certificate chain, 239, 247
ChaCha20, 95, 120, 138, 243–244
chaining values, 112
Chinese remainder theorem (CRT), 195–196
chosen-ciphertext attackers (CCA), 11
chosen-message attacks, 129
chosen-plaintext attackers (CPA), 11
Chrome browser, 118, 231
Chuang, Isaac, 269
ciphers, 1
cipher-based MAC (CMAC), 134–135
cipher block chaining (CBC), 67–69
    ciphertext stealing, 70
    padding, 69–70
    padding oracle attacks, 74
ciphertext, 2
ciphertext-only attackers (COA), 11
ciphertext stealing, 70
C language, 63
Clay Mathematics Institute, 46, 171
client certificate, 246
clique problem, 169
CLMUL (carry-less multiplication), 153
closest vector problem (CVP), 264–265
CMAC (cipher-based MAC), 134–135
CMAC-AES, 157
COA (ciphertext-only attackers), 11
code-based cryptography, 263–264
codebook attacks, 55, 90–91
Codenomicon, 248
coding problems, 179
Cohen, Henri, 233
Cold War, 53
collision resistance, 109, 113
complexity. See computational complexity
complexity class, 168
complex numbers, 253
compression functions, 111
    in BLAKE2, 124
    Davies–Meyer construction, 114
    in Merkle–Damgård construction, 112–113
    in SHA-1, 117
computational complexity, 164
    bounds, 167
    classes, 168
    comparison, 166
    constant factors, 165
    constant time, 166
    exponential, 165, 167
    exponential factorial, 167
    linear, 165
    linearithmic, 165
    polynomial, 166–168
    quadratic, 165
    superpolynomial, 166–168
computational complexity theory, 163
computational Diffie–Hellman (CDH), 204
computational hardness, 164
computational security, 40–41
confidentiality, 1, 106
confusion, 57
constant-time implementations, 142
Coppersmith, Don, 199
counter mode (CTR), 71–72, 91, 152
counter with CBC-MAC (CCM), 162, 243
CPA (chosen-plaintext attackers), 11
CRCs (cyclic redundancy checks), 106
CRT (Chinese remainder theorem), 195–196
CryptAcquireContext() function, 34
CryptGenRandom() function, 33–34
Crypto++, 199
Cryptocat, 37
cryptographic security, 39. See also security
CTR (counter mode), 71–72, 91, 152
cube attacks, 85
Curve448, 244
Curve25519, 230–231, 244
Curve41417, 231
CVP (closest vector problem), 264–265
cyclic redundancy checks (CRCs), 106

D
Dahlin, Mike, 125
Damgård, Ivan, 111, 126
Data Encryption Standard. See DES (Data Encryption Standard)
Datagram Transport Layer Security (DTLS), 237
Davies–Meyer construction, 114, 117, 124
decisional Diffie–Hellman (DDH)
    assumption, 205
    problem, 204–205
decryption, 2
dedicated hardware, 79
DeMillo, Richard A., 199
DES (Data Encryption Standard), 53, 80
    3DES, 59, 72–74
    vs. AES, 59, 80
    block size, 54
    double DES, 73
    Feistel schemes in, 58–59
deterministic random bit generator (DRBG), 14, 25, 78
/dev/random, 32–33
/dev/urandom, 30–32
Diehard, 29
differential cryptanalysis, 98–99
Diffie, Whitfield, 201
Diffie–Hellman problem, 178
Diffie–Hellman (DH) protocol, 201
    anonymous, 209–210
    authenticated, 210–213
    CDH problem, 204
    DDH problem, 204–205
    function, 202
    generating parameters, 202–203
    and key agreement, 205–208, 225–229
    MQV protocol, 213–214
    and shared secrets, 202, 214–215
    in TLS, 215, 242–243
    twin problem, 205
    unsafe group parameters, 215–216
diffusion, 57
digest, 106
DigiNotar, 248
digital signatures, 106, 182, 188–189
discrete logarithm problem (DLP), 174–176
    and CDH problem, 204
    ECDLP, 224–225
    and Shor’s algorithm, 259, 260
distribution. See probability distribution
drand48, 28
DRBG (deterministic random bit generator), 14, 25, 78
DTLS (Datagram Transport Layer Security), 237
Durumeric, Zakir, 36

E
ECB (electronic codebook), 65–67
ECC (elliptic-curve cryptography), 217
ECDH (elliptic-curve Diffie–Hellman), 226, 232–233
ECDSA. See elliptic curve digital signature algorithm (ECDSA)
ECDLP (elliptic curve discrete logarithm problem), 224–225
ECIES (elliptic curve integrated encryption scheme), 229
Ed448-Goldilocks, 231
Einstein–Podolsky–Rosen (EPR) paradox, 252
elliptic curves, 217–218, 244
    addition law, 221
    Curve448, 244
    Curve25519, 230–231
    Curve41417, 231
    Edwards curves, 219
    groups, 224
    with integers, 219–220
    NIST curves, 230
    order, 224
    point at infinity, 222, 224
    point doubling, 222–223
    point multiplying, 223
    prime curves, 230
    Weierstrass form, 218
elliptic-curve cryptography (ECC), 217
elliptic-curve Diffie–Hellman (ECDH), 226, 232–233
elliptic curve digital signature algorithm (ECDSA), 226
    and bad randomness, 232
    vs. RSA signatures, 227–228
    signature generation, 226
    signature verification, 226–227
elliptic curve discrete logarithm problem (ECDLP), 224–225
elliptic curve integrated encryption scheme (ECIES), 229
embarrassingly parallel, 43, 90
Encapsulating Security Payload (ESP), 241
encrypt-and-MAC, 146–147
encryption, 1
    asymmetric, 15
    at-rest, 15
    in-transit, 15
    randomized, 13
    security, 9
encrypt-then-MAC, 147–148, 152
entanglement, 252, 255
entropy, 23–24, 35–36
entropy pool, 25
EPR (Einstein–Podolsky–Rosen) paradox, 252
error-correcting codes, 263
ESP (Encapsulating Security Payload), 241
eSTREAM competition, 86, 103
eth roots, 185
Euler’s theorem, 198
Euler’s totient function, 183
exponentiation, 192, 194
extended Euclidean algorithm, 184

F
factorials, 6
factoring methods, 172
factoring problem, 46, 171
    and NP-completeness, 173–174
    solving with Shor’s algorithm, 259–260
factorization, 172–173, 176–177
fast correlation attacks, 85
fault injection, 196–197
FDH (Full Domain Hash), 190–191
feedback shift registers (FSRs), 80–82
    cycle, 82
    feedback function, 80
    linear, 83–85
    nonlinear, 86
    period, 82
Feistel schemes, 58–59
Ferguson, Niels, 26, 161
FHE (fully homomorphic encryption), 17
field-programmable gate array (FPGA), 79
filtered LFSR, 85
first-preimage resistance, 108
fixed points, 114
Flame, 126
forgery attacks, 128

G
general number field sieve (GNFS), 173, 204
getrandom() system call, 33
GHASH, 152–154, 159–160
Gilbert, E.N., 136
Git, 105
GitHub, 51
Gmail, 248
GMR-1, 103
GMR-2, 103
GNFS (general number field sieve), 173, 204
GNU Multiple Precision (GMP), 192
GnuPG, 52
Go, 140, 191, 193
Goldberg, Ian, 35
Goldwasser, Shafi, 19
Google, 118, 248
    Chrome, 231
    Internet Authority, 239
GOST, 53, 59
Govaerts, René, 126
Government Communications Headquarters (GCHQ), 202
Grain-128a,